[ISN] Experts struggle with cybersecurity agenda

From: InfoSec News (alerts@private)
Date: Thu May 01 2008 - 01:59:42 PDT


http://www.gcn.com/online/vol1_no1/46189-1.html

By William Jackson
GCN Staff
04/28/08

Whoever becomes our next president will inherit a cyber infrastructure 
under almost constant attack and at greater risk than eight years ago, 
and a handful of experts and legislators have come together to ensure 
that cybersecurity has a high priority in his or her administration.

The Commission on Cyber Security for the 44th Presidency, set up in 
November by the Center for Strategic and International Studies, held the 
second of five planned public meetings Monday to hear recommendations on 
issues of information security, identity theft and government 
leadership.

Cybersecurity is not a technical issue, panelists said, but a matter of 
culture, education and self-interest. Government cannot regulate 
information technology security, and industry cannot do the job by 
itself. Forging the public/private partnership needed to provide 
adequate security will require leadership in both government and 
industry. Cooperation between the two spheres may not be easy to come 
by, said John Koskinen, who spearheaded the government response to the 
Year 2000 Transition.

"The private sector is always nervous about what the government is up 
to," Koskinen said. Business deals with security in terms of business 
cases and managing acceptable risk, while government tends to deal in 
regulatory absolutism. And information sharing is always a challenge. 
The advice of corporate general counsels is generally "Don't tell 
anybody anything."

But the Y2K transition showed that effective cooperation is possible if 
government acts as a catalyst to establish priorities and bring 
different sides together, he said.

The nonpartisan think tank established the commission "to develop 
recommendations for a comprehensive strategy to improve cybersecurity in 
federal systems and in critical infrastructure." Its goal is to have a 
package of recommendations ready for the next president by November. 
Cybersecurity will be vying with numerous other domestic and 
international, economic, security and political issues for the 
presidential transition team's attention. Establishing it as a high 
priority will require putting it on the legislative and policy agenda 
from the beginning of the administration, organizers say.

Co-chairmen of the group are the former director of the U.S. National 
Security Agency, Lt. Gen. Harry Raduege; Scott Charney, vice president 
of trustworthy computing at Microsoft; Rep. Jim Langevin (D-R.I.), 
chairman of the Homeland Security Subcommittee on Emerging Threats, 
Cyber Security and Science and Technology; and ranking Republican Rep. 
Michael McCaul of Texas. Members of the commission include Amit Yoran, 
formerly top cybersecurity official at the Homeland Security Department; 
Orson Swindle, formerly of the Federal Trade Commission; and Marty 
Stansell-Gamm, former head of the Department of Justice's computer 
crimes division; in addition to a number of industry executives.

There was not complete agreement among panelists on cybersecurity 
priorities. They agreed that a single national data breach notification 
law is needed to replace the current patchwork of 40-plus state laws. 
Although Lisa Sotto, a partner at the law firm Hunton and Williams, 
called for federal preemption of state laws, David Mortman, chief 
information security officer-in-residence at Echelon One, wanted federal 
law to set a baseline for breach notification without precluding stiffer 
state requirements.

Julie Ferguson, vice president of emerging technology at Debix, called 
for a zero-tolerance policy for identity theft enforced by required 
verification of online transactions with consumers. Jay Foley, founder 
of the Identity Theft Resource Center, called for creation of a national 
death registry and for the Social Security Administration to create a 
database tying Social Security numbers with dates of birth to help 
prevent misuse of the numbers even though efforts are being made to stop 
their use as a unique personal identifier.

Pamela Fusco, executive vice president of security solutions at Fishnet 
Security, said she wanted to establish an International Data 
Classification Standard that could help identify and assess value and 
risk to data. This would improve business practices and help put teeth 
in government regulation, she said.

"Information is not being identified as essential," Fusco said. "We're 
protecting machines, we're protecting access," we have not developed 
standard ways to classify and prioritize the information that underlies 
them.

